Due to the limited number of impacted companies with insurance and the deployment of a quick fix to mitigate losses, Guy Carpenter said the insured losses from the CrowdStrike outage are likely between $300 million and $1 billion.
The leading reinsurance broker’s analysis considered that the global IT outage earlier this month affected a small percentage of devices—though those that were hit caused widespread global operational disruptions. Aviation, healthcare, retail, financial services and hospitality were among the industries impacted, but less than 1 percent of companies with cyber insurance were affected, Guy Carpenter said.
In addition, many organizations were able to fix the problem caused by CrowdStrike’s endpoint-detection-and-response (EDR) product update on Microsoft devices before the clock started on business interruption losses. Many cyber insurance policies have a waiting period built in. Guy Carpenter said these waiting periods typically range from 4 to 12 hours.
The company said its findings “align with the conclusion that this event would not result in a material loss for most insurers, although this could change based on the wordings adopted by carriers, concentration of underwriting within affected industry sectors, and uptake of system failure coverage.”
Guy Carpenter pegs the cyber insurance industry as a $15.8 billion market, based on gross premiums. Its insured-loss estimate is fairly in line with others released since the incident. CyberCube said insured losses could range from $400 million to $1.5 billion. Modeling and insurance services firm Parametrix estimated insurers will pick up between $540 million and $1.08 billion.
Modeling the CrowdStrike event was not easy, according to Guy Carpenter, since some cyber catastrophe model vendors only examine malicious events. Other modelers have accidental scenarios, and while they may not be directly comparable to the CrowdStrike outage, they “can form a basis to derive a loss estimate.” This resulted in the firm’s development of a 5-step approach to get to a potential loss from this event.
“If the outage remains limited in scope, it will give greater perspective to underwriting for business interruption and system failure. This technology outage highlights the increased risk faced by organizations that rely on widely deployed software running on a dominant operating system provided by commonly used vendors,” Guy Carpenter added.
The broker also said the marketplace may want to rethink its view of cyber risk and consider frequency as well as market-shifting, large catastrophe losses.
“Rather than bracing for the single super cat, perhaps the market should be more concerned with the growing litter of ‘Kitty Cats’—midsize events that meet the criteria for a cat loss, but at a smaller scale,” Guy Carpenter said.
According to the broker, the cyber market has dealt with five of these so-called Kitty Cats since March 2023—MOVEit, Change Healthcare, CDK Global, CrowdStrike, and Snowflake—which, when grouped together in one treaty period, “could generate [more than] a 10% loss ratio impact to the industry, which is more in line with the expectation for a single super cat.” These types of events are hard to predict and model, Guy Carpenter added.